Can Cloud-Based Password Managers Be Trusted? New Study Exposes Concerning Flaws
February 25, 2026
Cloud-based password managers have become a fact of life for many people, but a new study from ETH Zurich indicates that more caution in using them is warranted as they tend to suffer from some common structural vulnerabilities.
A sample size of three of the most popular and widely used password managers (Bitwarden, LastPass and DashLane) finds that they share similar vulnerabilities, and that some of these are likely not things that can be fully addressed given the nature of how cloud-based vaults protect secrets while facilitating multi-device and shared logins. While this certainly does not render them dangerously insecure or useless, the tens of millions of people that make use of them should keep their limitations and security hygiene requirements in mind.
Big differences between “zero-knowledge encryption” and end-to-end in password managers
Convenience is the fundamental source of the security issues in password managers meant to be shared across devices or between users. Cloud-based password managers have become very popular because people now tend to juggle well over 100 login credentials and have multiple devices for both work and personal use, and sharing across multiple users is also fairly common for things like projects at work and entertainment streaming services at home. The ETH Zurich study notes that the three password managers it examined collectively have about 60 million users, almost a quarter of the total market of some 250 million users globally.
The study identifies four broad categories of attack that these password managers tend to be vulnerable to. The simplest one has proven one of the hardest to shake: legacy encryption methods, sometimes dating back to the 1990s, that there has been great hesitancy to deprecate due to continued user demand.
For the most part, the attacks outlined in the study first require the user to connect to a compromised server. Much therefore comes down to users avoiding an initial compromise of their own, but the study notes that some of these password managers promise “zero-knowledge” when that is not entirely true.
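The two points above, that the attacks start from a server the user should not trust and that legacy encryption settings linger because nobody wants to break old accounts, meet in one place: the moment a vault client accepts key-derivation parameters that the server hands it. The following is an added illustration of the defensive side of that decision, not code from the study or from any of the products it examined. It assumes a hypothetical vault client whose policy is a short allow-list of KDFs with a minimum work factor, so that a server (compromised or merely out of date) cannot talk the client into a weaker derivation than the client is prepared to accept.

```python
import hashlib

# Hypothetical client policy (an assumption for this example, not a value
# taken from the study): accepted KDF names mapped to the minimum iteration
# count the client will honour. Anything absent here is treated as legacy.
ALLOWED_KDFS = {"pbkdf2-sha256": 600_000}
MIN_SALT_BYTES = 16


class DowngradeError(ValueError):
    """Server-supplied parameters fall below what the client policy allows."""


def validate_kdf_params(params: dict) -> dict:
    """Check server-supplied KDF parameters against the local policy.

    The server is treated as untrusted input: a compromised or stale server
    could present a legacy KDF, a tiny iteration count, or a short salt and
    hope the client simply uses them. The client refuses rather than adapts.
    """
    kdf = params.get("kdf")
    if kdf not in ALLOWED_KDFS:
        raise DowngradeError(f"KDF {kdf!r} is not permitted by client policy")

    iterations = int(params.get("iterations", 0))
    if iterations < ALLOWED_KDFS[kdf]:
        raise DowngradeError(
            f"{iterations} iterations is below the minimum {ALLOWED_KDFS[kdf]}"
        )

    salt = bytes.fromhex(params.get("salt", ""))
    if len(salt) < MIN_SALT_BYTES:
        raise DowngradeError(f"salt is shorter than {MIN_SALT_BYTES} bytes")

    return {"kdf": kdf, "iterations": iterations, "salt": salt}


def derive_vault_key(master_password: str, params: dict) -> bytes:
    """Derive the 32-byte vault key locally, but only after the policy check.

    The master password never leaves this function; only the derived key is
    used by the (hypothetical) client to unlock the vault.
    """
    checked = validate_kdf_params(params)
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        checked["salt"],
        checked["iterations"],
        dklen=32,
    )


def key_is_accepted(params: dict) -> bool:
    """True if the client would proceed with these parameters, False if it refuses."""
    try:
        derive_vault_key("correct horse battery staple", params)
        return True
    except DowngradeError:
        return False


# Constructed sample server responses for demonstration (not captured traffic).
GOOD_PARAMS = {"kdf": "pbkdf2-sha256", "iterations": 600_000, "salt": "00" * 16}
LEGACY_KDF = {"kdf": "pbkdf2-sha1", "iterations": 600_000, "salt": "00" * 16}
LOW_ITERATIONS = {"kdf": "pbkdf2-sha256", "iterations": 1_000, "salt": "00" * 16}
SHORT_SALT = {"kdf": "pbkdf2-sha256", "iterations": 600_000, "salt": "00" * 4}

if __name__ == "__main__":
    for name, params in [
        ("good", GOOD_PARAMS),
        ("legacy kdf", LEGACY_KDF),
        ("low iterations", LOW_ITERATIONS),
        ("short salt", SHORT_SALT),
    ]:
        print(f"{name:15s} accepted={key_is_accepted(params)}")
```

The design choice worth noting is that the policy lives in the client and is a floor, not a negotiation: the server can ask for more work than the minimum but never less. That is what lets a vendor retire a 1990s-era setting without the server being the component that decides whether it is still in use.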
Are cloud password managers safe enough to use?
Cloud-based password managers sell themselves on the claim that not even the developers can see into user vaults, but these vulnerabilities indicate that the claim does not hold in all circumstances, and that even where it does, outside attackers are not necessarily fenced off from credentials to the same degree.
Each of the password managers tested was susceptible to at least six attack types; Bitwarden fared worst of the group at 12. All of these attack types require user interaction, but only simple and routine actions: logging into the password manager, viewing one's own vault, or syncing data between devices, for example.
The vendors of the tested password managers were notified of the vulnerabilities 90 days prior to publication of the study. While many were patched in response, some of the issues are “architectural” in nature and either too difficult or impossible to fully address. None of this renders cloud-based password managers too unsafe to use, but their users should be aware of these issues going forward.